NEWS
Morocco Whistleblower Details Pegasus Spyware Hits on Guardia Civil
A Moroccan intelligence whistleblower says the DGST used Pegasus spyware since 2017 to target journalists, Spanish ministers and Guardia Civil officers.
A former Moroccan intelligence officer has broken years of official denial, revealing that the country’s domestic security service began deploying Pegasus spyware in 2017. The whistleblower, using the pseudonym Safir, describes a four-year campaign that reached journalists, human rights activists, French officials and Spain’s own cabinet.
The testimony anchors a joint investigation by 14 outlets, including Le Monde, Haaretz, El Confidencial, Die Zeit and the Guardian, coordinated by Forbidden Stories with Amnesty International’s Security Lab. Guardia Civil officers sent to train Moroccan counterterrorism units ended up on the target list themselves, and Madrid honored the man suspected of running the operation anyway.
Inside the Rabat Villa Where NSO Made Its Pitch
Rabat has always denied any relationship with NSO Group, the Israel-based maker of Pegasus, and has said journalists investigating the company could never prove a link. Safir’s account, corroborated by two other former Moroccan agents and by leaked material forensically reviewed by Amnesty’s Security Lab, tells a different story.
High-ranking Moroccan intelligence officers and technical experts got their first look at Pegasus in 2017, inside an expensive villa in Rabat that insiders nicknamed “the FSSYS villa.” The name came from FSSYS Maroc, then the Moroccan branch of the UAE-based surveillance intermediary al-Fahad, which frequently used the property for demonstrations.
NSO representatives infected a number of test phones while officers watched, remotely switching on cameras and microphones and pulling data and messages off the devices. Those in the room grasped immediately that Pegasus’s remote-infection power meant they would no longer need physical access to a target’s phone.
Before that, Morocco’s Direction Générale de la Surveillance du Territoire, the country’s domestic intelligence service known as the DGST, worked with far cruder tools. According to Safir, the service leaned on:
- Old-fashioned human intelligence and informant networks
- Monitoring dissidents at internet cafe terminals
- Persuading shopkeepers to sell targets mobile phones preloaded with cheaper spyware
Pegasus was reserved for the costliest, highest-value cases, once those cheaper options had been exhausted. “We never start with Pegasus,” Safir said. “It’s the monster’s weapon.”
The whistleblower described the pricey new tool as effectively a gift, courtesy of the United Arab Emirates.
Millions for the Emiratis, that’s nothing. The Emirates bought it and redistributed it to friendly services. You could say it’s like Netflix: a friend pays for the subscription, and the others use their account.
Safir told the consortium, explaining how Rabat gained access to a tool few security services could otherwise afford. Four unique Moroccan mobile numbers were fed into the system that September, seemingly to test its capabilities, including numbers linked to two DGST staff members.
Within weeks, the numbers of Moroccan journalists and human rights defenders began appearing in the same database. The 2017 demonstration predated the reporting that would eventually show phones belonging to at least 180 journalists were selected in 20 countries by at least 10 NSO clients, from Bahrain and Saudi Arabia to India and Mexico.

Officers Who Trained Morocco’s Spies Became Its Targets
The targeting did not stay inside Morocco’s borders for long. Leaked documents, photographs and testimony from Spanish security forces and a former Moroccan intelligence agent suggest the DGST used its new capability to try to access the communications of Guardia Civil officers who had travelled to Morocco to share counterterrorism expertise.
The personal phone number of one senior Guardia Civil officer appears five times on the list of targets selected for Pegasus surveillance by the end-user believed to be Morocco.
“We spy on everyone,” one former DGST officer told the consortium, adding that the surveillance was carried out “just in case.”
Officers from Spain’s other national police force, the Policía Nacional, use separate mobile devices for sensitive material when travelling to Morocco. The Guardia Civil did not think such precautions were necessary when working with an ally.
“We didn’t do it because we didn’t suspect we would be spied on,” a senior Guardia Civil intelligence officer said. A senior Guardia Civil official called the revelations “a betrayal.”
More Than 200 Spanish Numbers Ended Up on the List
Pegasus project records show more than 200 Spanish mobile numbers were selected for targeting by the user believed to be Morocco. The Spanish numbers are a small slice of a far larger dataset: the original leak examined by Amnesty International and Forbidden Stories in 2021 contained more than 50,000 phone numbers selected by NSO clients worldwide since 2016.
| Target | Role | Country | Year(s) Targeted |
|---|---|---|---|
| Aminatou Haidar | Western Sahara human rights activist | Spain | 2018, again in Nov. 2021 |
| Ignacio Cembrero | Journalist covering the Maghreb | Spain | Listed in leaked database |
| Pedro Sánchez | Prime Minister of Spain | Spain | May 2021 |
| Margarita Robles | Defence Minister of Spain | Spain | June 2021 |
| Fernando Grande-Marlaska | Interior Minister of Spain | Spain | 2021 |
| Luis Planas | Agriculture Minister of Spain | Spain | 2021 |
| Senior Guardia Civil officer | Counterterrorism liaison to Morocco | Spain | Number appears 5 times on target list |
| Hicham Mansouri | Moroccan investigative journalist in exile | France | Feb. to April 2021, phone infected 20+ times |
The targeting of Sánchez and Robles came during a tense diplomatic row. Madrid had allowed Brahim Ghali, president of the Sahrawi Arab Democratic Republic and leader of the Polisario Front, to be treated for Covid-19 at a hospital in northern Spain. The phones of Grande-Marlaska and Planas were revealed as targets later. The Guardian has also reported that at least 38 Moroccan journalists appear among the global list of Pegasus targets.
Spain Handed Its Highest Honor to a Man Suspected of Spying on It
Despite mounting suspicion that Morocco was behind the targeting of Spain’s own cabinet, Interior Minister Fernando Grande-Marlaska last year presented Abdellatif Hammouchi, the DGST’s director general, with the highest honor bestowed by the Guardia Civil, a gendarmerie that reports to both the interior and defence ministries.
One Guardia Civil union objected publicly. Giving the honor “to a man who has faced international accusations of human rights violations and spying,” it said, was an affront to the dignity of the force’s officers.
Court documents assembled by the Pegasus project add weight to the suspicion. One attacker account assigned to Morocco’s Pegasus system, the same one used to target politicians, journalists and human rights defenders in France, was also used to target the phones of Robles and Grande-Marlaska, according to material reviewed by the consortium.
The Codename That Ties NSO’s Paperwork to Rabat
Further evidence of Morocco’s relationship with NSO Group surfaced last year through an unrelated legal fight. WhatsApp’s parent company, Meta, sued NSO Group in US federal court, and an unsealed, redacted presentation given to the board of NSO’s parent company, Q Cyber Technologies, in early August 2018, included a list of Pegasus end-user codenames.
According to reporting by the Israeli newspaper Haaretz, NSO assigns each client country a name built from its first letter and a car manufacturer. Subaru had previously been tied to Saudi Arabia. Morgan has now been identified as Morocco, after former NSO employees confirmed to the consortium that the kingdom was a Pegasus end-user known by that name.
A separate court document released in a related WhatsApp lawsuit found Pegasus was used in a single 2019 hacking campaign against 1,223 WhatsApp users worldwide. Morocco accounted for 69 of those victims, behind only Mexico, India and Bahrain.
NSO Group was placed on a US trade blacklist in November 2021 after the Biden administration determined the company had acted “contrary to the foreign policy and national security interests of the US.” Three weeks later, the Israeli financial newspaper Calcalist reported that Israel’s defence ministry had barred a number of countries, including Morocco and the UAE, from importing Israeli cyber-technology.
Why Do Investigations in Madrid and Paris Keep Stalling?
Spain’s investigating judge closed the Pegasus inquiry in July 2023, reopened it months later after French authorities shared their own evidence, then shelved it again in January 2026. Both times, the reason traces back to Israel, which has refused to let NSO’s chief executive give a statement to Spanish investigators.
The judge said Israel’s refusal to cooperate had violated “the principle of good faith” between countries. France reopened its own probe after receiving a European Investigation Order tied to the hacking of French ministers, MPs, lawyers and journalists, but that inquiry has not produced a public attribution either.
- What we know – Safir’s account is corroborated by two other former Moroccan intelligence agents and by forensic analysis from Amnesty International’s Security Lab.
- What we know – The DGST tested Pegasus on Moroccan numbers in September 2017 before expanding to journalists and rights defenders that same month.
- What we know – No evidence of Pegasus-linked surveillance in Morocco has surfaced since late 2021.
- What’s unconfirmed – NSO Group, Morocco’s government, the UAE authorities and al-Fahad’s parent company have not responded to requests for comment.
- What’s unconfirmed – Whether Israel will ever let NSO’s chief executive testify before Spanish or French judges.
- What’s unconfirmed – Whether any prosecution in Madrid or Paris will formally name Morocco as the perpetrator.
Frequently Asked Questions
What Is Pegasus Spyware and Who Makes It?
Pegasus is spyware built by NSO Group, an Israeli company, that can infect a phone without any click from the target and then give its operator access to messages, calls, photos, location data and the device’s camera and microphone. The tool came under global scrutiny after the original Pegasus Project investigation, coordinated by Forbidden Stories with Amnesty International’s Security Lab, first published its findings in July 2021.
Has Morocco Ever Admitted Using Pegasus?
No. Rabat has denied any relationship with NSO Group since the original 2021 reporting and has filed defamation lawsuits in French courts against Amnesty International and Forbidden Stories. Moroccan officials have repeatedly said journalists investigating the claims never produced material proof of a contract with the company.
Did Spain’s Government Ever Officially Blame Morocco?
No. Spain’s 2023 Annual National Security Report left Morocco out of its espionage chapter entirely, even while naming China and Russia, according to Morocco World News. Defence Minister Margarita Robles has told parliament that the National Intelligence Center filed ten reports to the investigating judge and that the government considers itself the victim, not the source of the leak.
Did the Targeting Spill Into Other Regional Rivalries?
Yes. Separate reporting cited by Middle East Monitor said Moroccan authorities targeted more than 6,000 Algerian phone numbers, including senior politicians and military officers, in 2021, a scandal that contributed to Algeria’s decision to sever diplomatic relations with Rabat that year.
What Happened to NSO Group After the Pegasus Project?
NSO Group has faced a wave of legal fallout beyond Morocco. A US jury found the company liable for illegally hacking WhatsApp users and awarded Meta $167 million in damages, though a judge later cut that figure to $4 million. NSO Group, Morocco’s government and the UAE authorities were all approached for comment on the whistleblower’s account; none had responded by publication, and Spain’s government and its interior, foreign and defence ministries did not respond either.
-
NEWS1 month agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
GAMING1 month agoMicrosoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
-
AI3 weeks agoOracle Cuts 21,000 Jobs in a Year, Cites AI in 10-K Filing
-
AI1 month agoMoonshot AI Targets $30 Billion in China’s Fastest AI Funding Sprint
-
CRYPTO1 month agoXPL Rallies 30% Ahead of Plasma One Card Tier Launch
-
AI6 days agoWhatsApp Meta Business Agent Reaches India, With a New Pricing Meter
-
AI1 month agoSpaceX’s Google Deal Turns a Rocket Company Into a Cloud Landlord
-
NEWS1 month agoOppo’s ColorOS 17 Eligibility List Leaves A-Series Buyers Behind
